RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite [v4]

Artur Barashev abarashev at openjdk.org
Fri Nov 1 17:10:27 UTC 2024


On Fri, 1 Nov 2024 15:04:47 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> Did you consider the option to support cipher suite regex Pattern, for example TLS_RSA_* for the restriction? The update is a little bit complicated to me.

Yes, I think we mentioned using regex during our internal discussions. We also considered a much simpler solution that would be fine for a one-off case but it's kind of hacky: use `RSA-kx` in the config file and also add it to `SSLAlgorithmDecomposer#decomposes(CipherSuite.KeyExchange keyExchange)`. I approached this task not as a one-off case but as an expandable design to disable parts of a TLS cipher suite. So we can easily expand it by adding new bulk or hash parameters to disable certain algorithms from being used as bulk ciphers or hash functions.

About using wildcards: that's definitely worth considering, I may put together an alternative PR that uses wildcards (true regex is not really needed here, nor is it as user-friendly). It would not be as user-friendly as `RSA kx` though, the end-users need to know exactly what they are doing, i.e. they need to know the exact format of the cipher suite name, etc. Since these config values are used to disable both a simple algorithm and a complete cipher suite, the wildcard would apply to both, so putting something like `*ECDH*` would disable a whole bunch of algorithms and cipher suites.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21577#issuecomment-2452251214
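As an added illustration (not code from the thread or the PR), the following Java program previews the impact of the two approaches discussed above against the running JDK's supported suites: a key-exchange rule like `RSA kx`, modelled here by the standard `TLS_RSA_WITH_`/`SSL_RSA_WITH_` name prefix, versus a hypothetical wildcard such as `*ECDH*`. The wildcard matching is implemented locally in the program and is not an accepted `jdk.tls.disabledAlgorithms` syntax.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class DisablePreview {

    // Suites whose key exchange is plain RSA carry the "TLS_RSA_WITH_" or
    // "SSL_RSA_WITH_" prefix in their standard names; this is the set a
    // key-exchange constraint such as "RSA kx" would target.
    static boolean usesRsaKeyExchange(String suite) {
        return suite.startsWith("TLS_RSA_WITH_") || suite.startsWith("SSL_RSA_WITH_");
    }

    // Hypothetical wildcard syntax from the discussion, matched locally only:
    // '*' matches any run of characters, everything else is literal.
    static Pattern wildcardToPattern(String wildcard) {
        String[] parts = wildcard.split("\\*", -1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) regex.append(".*");
            regex.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(regex.append('$').toString());
    }

    static List<String> matching(String[] suites, Pattern p) {
        List<String> out = new ArrayList<>();
        for (String s : suites) if (p.matcher(s).matches()) out.add(s);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        List<String> rsaKx = new ArrayList<>();
        for (String s : supported) if (usesRsaKeyExchange(s)) rsaKx.add(s);
        List<String> ecdhGlob = matching(supported, wildcardToPattern("*ECDH*"));

        System.out.println("supported: " + supported.length
                + ", enabled under current jdk.tls.disabledAlgorithms: " + enabled.length);
        System.out.println("RSA key exchange (what 'RSA kx' would cover): " + rsaKx.size());
        rsaKx.forEach(s -> System.out.println("  " + s));
        // The wildcard also hits every ECDHE suite, which is the over-reach noted above.
        System.out.println("matched by wildcard *ECDH*: " + ecdhGlob.size());
        ecdhGlob.forEach(s -> System.out.println("  " + s));
    }
}
```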
